DETAILED ACTION

1. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on
09/05/2007 has been entered.

2. Claims 1, 3-22 are amended. Claim 2 was previously canceled. Claims 1, 3-22 are
pending. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 1,3-8,10-22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Milliken (US Patent 6,978,223 B2) in view of Ebata et al 
(hereinafter referred as Ebata) US Pub No 20020042837 and in further view of Zuk 
(US Pub No 2004/0030927 A1). 

5. As per claim 1: Milliken discloses a method of tracking-back a malicious data
packet in a connection-oriented communication network, comprising the steps of: a) for
a given time window (Time Period) extending over a configurable time period,
computing a unique flow identifier (FlowId) for uniquely identifying a given flow seen by a
router interface (Incoming Link) at a network node (See Fig 8 steps 805,505,510,515
and col 3 lines 11-21); b) inserting said FlowId into a data structure associated to said
Time Period and said Incoming Link, available at said network node (See Fig 8 steps
805,505,510,515); c) storing said data structure in a searchable repository at said
network node (Fig 4 step 405 and col 6 lines 12-37); and d) repeating steps a) to c) for a
next Time Period and for each Incoming Link at said network node (See Fig 10).

Milliken does not disclose determining the time of arrival X of said malicious
packet at said network node and computing flowid for said malicious packet; and 
identifying said incoming link for said malicious packet by searching for the flowid of 
said malicious packet in all data structures for said network node that cover the time of 
arrival X. 

However Ebata discloses determining the time of arrival X of said malicious 
packet at said network node and computing flowid for said malicious packet 
(0015,0049,0056); and identifying said incoming link for said malicious packet by 
searching for the flowid of said malicious packet in all data structures for said network 
node that cover the time (See 0015,0049,0056).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken to include e)
determining the time of arrival X of said malicious packet at said network node and
computing FlowId for said malicious packet; and f) identifying said Incoming Link for
said malicious packet by searching for the FlowId of said malicious packet in all data
structures for said network node that cover the time of arrival X. This modification would
have been motivated, as suggested by Milliken (See col 3 lines 8-10), in order
to determine network performance parameters based on the determined temporal
behavior.

The combination of Milliken and Ebata does not explicitly teach router interface at
said network node, for all packets seen at respective router interface over successive
time windows, for populating said data repository with a plurality of data structures, each
associated to a respective time period and a one of said respective router.

However Zuk teaches router interface at said network node, for all packets seen
at respective router interface over successive time windows, for populating said data 
repository with a plurality of data structures, each associated to a respective time period 
and a one of said respective router and single malicious packet (See 0008, 0022,0081 
and Fig 2 step 230). 

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken and Ebata to include
router interface at said network node, for all packets seen at respective router interfaces
over successive time windows, for populating said data repository with a plurality of data
structures, each associated to a respective time period and a one of said respective
router interfaces and single malicious packet. This modification would have been
motivated, as suggested by Zuk (0008), in order to determine a single flow
record associated with the packet.

6. As per claim 3: the combinations of Milliken-Ebata-Zuk disclose further 
comprising tracing-back hop by hop the source of said single packet from said router, by 
performing steps e) and f) for each network node along the path of said single malicious 
packet (See Zuk 0022,0075). 

7. As per claim 4: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein step a) is based on flow definition adopted for said network (See Milliken Fig 1 
and col 4 lines 17-38). 

8. As per claim 5: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein step a) comprises applying a specified function to one or more header fields of 
each packet received in said flow (See Milliken Fig 5 steps 505,510,515). 

9. As per claim 6: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein step a) comprises applying a specified function to one or more header fields of 
each packet received in said flow and an incoming interface identification parameter 
(See Milliken Fig 10 step 1015 and Fig 8 step 805). 

10. As per claim 7: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein step a) comprises applying a specified function to one or more characteristics 
of each packet (See Milliken Fig 5 steps 505,510,515 and col 3 lines 11-20). 

11. As per claim 8: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein step a) comprises applying a specified function to one or more characteristics
of each packet received in said flow and an incoming interface identification parameter
(See Milliken Fig 5 steps 505,510,515 and col 3 lines 11-20). 

12. As per claim 10: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein said searchable repository is maintained for each router interface at said 
network node (See Milliken Fig 7 step 705 and col 3 lines 38-40). 

13. As per claim 11: the combinations of Milliken-Ebata-Zuk disclose the method
wherein said searchable repository stores all said data structures for all router interfaces 
at said network node (See Milliken Fig 10 steps 1010,1015). 

14. As per claim 12: the combinations of Milliken-Ebata-Zuk disclose the method 
wherein said searchable database is a centralized searchable repository maintained for 
said network (See Milliken Fig 4 and col 6 lines 11-37). 

15. As per claim 13: Milliken discloses a method of tracking-back a malicious data
packet in a connection-oriented communication network, comprising the steps of: a) for
a given time window (Time Period) extending over a configurable time period,
computing a unique flow identifier (FlowId) for uniquely identifying a given flow seen by
a router interface (Incoming Link) at a network node based on a flow characterization
parameter obtained from management system (See Fig 8 steps 805,505,510,515 and
col 3 lines 11-21); b) inserting said FlowId into a data structure associated to said Time
Period and said Incoming Link, available at said network node (See Fig 8 steps
805,505,510,515); c) storing said data structure in a database that is centralized
searchable repository (Fig 4 step 405 and col 6 lines 12-37); and d) repeating steps a) to
c) for a next Time Period and for each Incoming Link at said network node (See Fig 10).

Milliken does not explicitly teach e) finding in said searchable repository the
incoming link for said malicious packet based on a Flowid and a time of arrival X of said 
malicious packet. 

However Ebata discloses e) finding in said searchable repository the incoming link
for said malicious packet based on a Flowid and a time of arrival X of said malicious 
packet (See 0015,0049). 

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken to include finding in
said searchable repository the incoming link for said malicious packet based on a
Flowid and a time of arrival X of said malicious packet. This modification would have
been motivated, as suggested by Milliken (See col 3 lines 8-10), in order to
determine network performance parameters based on the determined temporal
behavior.

The combination of Milliken and Ebata does not explicitly teach router interface at
said network node, for all packets seen at respective router interface over successive
time windows, for populating said data repository with a plurality of data structures, each
associated to a respective time period and a one of said respective router and single
malicious packet.

However Zuk teaches router interface at said network node, for all packets seen
at respective router interface over successive time windows, for populating said data
repository with a plurality of data structures, each associated to a respective time period
and a one of said respective router and single malicious packet (See 0008, 0022,0081
and Fig 2 step 230).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken and Ebata to include
router interface at said network node, for all packets seen at respective router interfaces
over successive time windows, for populating said data repository with a plurality of data
structures, each associated to a respective time period and a one of said respective
router interfaces and single malicious packet. This modification would have been
motivated, as suggested by Zuk (0008), in order to determine a single flow
record associated with the packet.

16. As per claim 14: Milliken discloses a system for tracking-back a malicious data
packet in a connection-oriented communication, comprising: means for computing a
unique flow identifier FlowId for each packet of a flow seen by a router interface
(Incoming Link) at a network node over a given period of time (Time Period); means for
inserting said FlowId into a data structure associated to said Time Period (See Fig 8
steps 805,505,510,515), and said Incoming Link available for said network node; a
database that is a centralized searchable repository for storing said data structure (Fig 4
step 405 and col 6 lines 12-37).

Milliken does not explicitly teach a search engine for finding in said searchable
repository the Incoming Link for said malicious packet based on a FlowId and a time of
arrival X of said malicious packet.

However Ebata discloses a search engine for finding in said searchable
repository the Incoming Link for said malicious packet based on a FlowId and a time of
arrival X of said malicious packet (See 0015,0049,0056).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken to include a single
malicious packet. This modification would have been motivated in order to
enhance the security of the system.

The combination of Milliken and Ebata does not explicitly teach single malicious
packet.

However Zuk teaches about single malicious packet. (See 0008 and abstract). 

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken and Ebata to include
single malicious packet. This modification would have been motivated, as
suggested by Zuk (0008), in order to determine a single flow record associated with the
packet.

17. As per claim 15: the combinations of Milliken-Ebata-Zuk teach the system further
comprising a flow-based monitoring system for tracking back hop-by-hop the source of 
said single malicious packet (Zuk 0022,0075). 

18. As per claim 16: the combinations of Milliken-Ebata-Zuk teach the system 
wherein one said searchable repository is maintained for each interface at said network 
node (See Milliken Fig 7 step 705 and col 3 lines 38-40). 

19. As per claim 17: the combinations of Milliken-Ebata-Zuk teach the system of
wherein one said searchable repository is maintained for said network node (See
Milliken Fig 4 and col 6 lines 11-37).

20. As per claim 18: the combinations of Milliken-Ebata-Zuk teach the system of
wherein said searchable repository is a centralized database maintained for said 
network (See Milliken Fig 4 and col 6 lines 11-37). 

21. As per claim 19: the combinations of Milliken-Ebata-Zuk teach the system of
further comprising a flow based monitoring system for providing a flow characterization 
parameter to said means for calculating (See Milliken Fig 12 step 1210). 

22. As per claim 20: the combinations of Milliken-Ebata-Zuk teach the system further 
comprising a flow management system for generating a flow characterization parameter 
(See Milliken Fig 9 step 915). 

23. As per claim 21: the combinations of Milliken-Ebata-Zuk teach the system of
wherein said means for computing is a FlowId calculator for computing said FlowId from
one or more of packet header fields, packet characterization parameters and interface
identification information (See Milliken Fig 12 steps 1230,1235).

24. As per claim 22: the combinations of Milliken-Ebata-Zuk teach the system
wherein said means for computing is a FlowId calculator for computing said FlowId from
packet header information (See Milliken Fig 12 step 1205).

25. Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Milliken (US Patent 6,978,223 B2) in view of Ebata et al (hereinafter referred as
Ebata) US Pub No 20020042837 and in further view of Zuk (US Pub No
2004/0030927 A1) and further in view of Snoeren et al (Hash based IP Traceback,
27 August 2001).

26. As per claim 9: the combination of Milliken-Ebata-Zuk teaches claim 1 as recited
above. Milliken and Ebata do not explicitly teach the method wherein said data structure
is a hash table based on a Bloom filter. However Snoeren teaches the method wherein
said data structure is a hash table based on a Bloom filter (See page 2 first paragraph).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teaching method of Milliken-Ebata-Zuk to include
the method wherein said data structure is a hash table based on a Bloom filter. This
modification would have been motivated, as suggested by Snoeren (page 2),
in order to reduce the memory requirement through the use of Bloom filter.

Conclusion 

27. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. See PTO 892. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Fikremariam Yalew whose telephone number is 
5712723852. The examiner can normally be reached on 9-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Moazzami Nasser can be reached on 571-272-4195. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Fikremariam Yalew Art Unit 2136